|
|
php.net | support | documentation | report a bug | advanced search | search howto | statistics | random bug | login |
[2004-05-20 17:03 UTC] overflow at neuf dot fr
Description: ------------ upload php vulnerability for $_FILES['userfile']['name'] can contain string "../" if the name start with a "." with a fake raw http : Content-Disposition: form-data; name="userfile"; filename="../../../test.html" Reproduce code: --------------- http://slythers.tcpteam.org/uploadphpvuln.txt Expected result: ---------------- security vulnerability in upload script PatchesPull RequestsHistoryAllCommentsChangesGit/SVN commits
|
|||||||||||||||||||||||||||
Copyright © 2001-2025 The PHP GroupAll rights reserved. |
Last updated: Sun Oct 26 17:00:01 2025 UTC |
Oh, yes. I have try to analyze this question, and got following result: If Post data looks like this: Content-Disposition: form-data; name="userfile"; filename="../test.html" Variable $_FILES['userfile']['name'] initializes with value "../test.html" And one more example code taken from PHP manual: -------- $uploaddir = '/var/www/uploads/'; $uploadfile = $uploaddir . $_FILES['userfile']['name']; if (move_uploaded_file($_FILES['userfile']['tmp_name'], $uploadfile)) { -------- Trying to copy file into '/var/www/uploads/../test.html And in opinien this situation potential dangerous.